Organizations looking to build trust among current and potential clients have a host of tools available to them—but one of the most effective is a SOC 2 audit. SOC 2 is an assessment framework overseen by the American Institute of Certified Public Accountants (AICPA). The SOC 2 audit is a robust evaluation process, whether Type 1 (short-term) or Type 2 (long-term). So, to guarantee success, organizations should turn to a SOC 2 implementation guide—like this one.
SOC 2 Implementation Guide for Service Organizations
SOC 2 is one of three primary System and Organization Controls (SOC) frameworks, which focus on assessing service organizations and generating reports for a specialized audience. The audit uses AICPA’s Trust Services Criteria (TSC) to gauge the effectiveness of your security system’s design (for Type 1) or operation (for Type 2). There are three stages to effective implementation:
- Implementing the primary Common Criteria, based directly on COSO Principles
- Implementing the secondary Common Criteria, extending one COSO Principle
- Implementing the Supplemental Criteria, comprising the remaining Trust Services Principles
This guide will walk through all elements of TSC (and SOC 2) implementation to prepare your organization for a streamlined audit and reporting process—ideally with RSI Security’s help.
Implementing the COSO Based Common Criteria
Arguably the most critical component of the TSC framework is the collection of Common Criteria (CC). These criteria are the only ones in the framework that pertain to all five Trust Services Principles. A SOC 2 audit will always assess the CC Series criteria, but there are situations in which other principles’ respective criteria (e.g., A Series) do not apply—see below.
The first five CC categories within the TSC framework are all based directly upon principles from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework. There are 17 COSO Principles, almost all of which are reflected in the first 14 TSC criteria.
CC1 Series: The Control Environment
There are five CC1 Series criteria:
- CC1.1 – The entity demonstrates commitment to integrity and ethics by establishing clear standards, enforcing adherence, and addressing deviations (COSO Principle 1)
- CC1.2 – The board demonstrates independence from management, along with expert oversight of both development and deployment of internal controls (COSO Principle 2)
- CC1.3 – Management establishes logistics in support of objectives, such as structures and reporting lines that facilitate staff’s fulfillment of responsibilities (COSO Principle 3)
- CC1.4 – The entity demonstrates commitment to attracting, developing, and retaining quality staff—and appropriately planning for dismissal or succession (COSO Principle 4)
- CC1.5 – The entity demonstrates commitment to holding individuals accountable for their responsibilities with respect to internal controls and objectives (COSO Principle 5)
CC2 Series: Communication and Information
There are three CC2 Series criteria:
- CC2.1 – The entity demonstrates that decisions regarding internal control are informed by quality data and analysis generated or obtained by the entity (COSO Principle 13)
- CC2.2 – The entity demonstrates clear internal communication of information required to fulfill control responsibilities in support of its defined objectives (COSO Principle 14)
- CC2.3 – The entity demonstrates clear external communication of information related to internal and external responsibilities in support of its objectives (COSO Principle 15)
CC3 Series: Risk Assessment
There are four CC3 Series criteria:
- CC3.1 – The entity demonstrates explicit specification of objectives, empowering risk identification and assessment, reflective of financial goals, etc. (COSO Principle 6)
- CC3.2 – The entity demonstrates risk identification capacities, along with risk analysis procedures that inform deployment of its risk mitigation strategies (COSO Principle 7)
- CC3.3 – The entity demonstrates commitment to seeking out and addressing fraud in identification, analysis, and ultimate mitigation of risks to objectives (COSO Principle 8)
- CC3.4 – The entity demonstrates a capacity to identify and address any changes to external or internal environments that could impact system controls (COSO Principle 9)
CC4 Series: Control Monitoring
There are two CC4 Series criteria:
- CC4.1 – The entity demonstrates careful selection, development, and deployment of evaluations at regular intervals to assess the efficacy of controls (COSO Principle 16)
- CC4.2 – The entity swiftly identifies, evaluates, and communicates deficiencies in its controls to all stakeholders responsible for corrective actions (COSO Principle 17)
CC5 Series: Control Activities
There are three CC5 Series criteria:
- CC5.1 – The entity demonstrates selection and implementation of control activities contributing to risk mitigation in support of its defined objectives (COSO Principle 10)
- CC5.2 – The entity demonstrates selection and deployment of general technological controls, beyond risk mitigation, in support of defined objectives (COSO Principle 11)
- CC5.3 – The entity demonstrates commitment to deploying all of its control practices according to clearly defined policies, establishing expectations (COSO Principle 12)
Implementing the Remaining Common Criteria
Along with the prior CC Series, each dedicated to individual COSO Principles, there are also several CC Series that expand upon one COSO Principle in particular: Principle 12.
Specifically, the TSC’s Series CC6, CC7, CC8, and CC9 all correspond to COSO Principle 12’s call for clear policies that put security plans into action, and they do so by way of supplemental criteria. Each of these series is dedicated to one of the supplemental topics named in the COSO framework; these are not to be confused with the Supplemental Criteria enumerated in the TSC proper (A Series, etc.), which are covered in the next section.
CC6 Series: Logical and Physical Access
There are eight CC6 Series criteria:
- CC6.1 – The entity implements controls to restrict logical access to protected information through user identification and authentication, network segmentation, and encryption
- CC6.2 – The entity ensures secure creation, management, and deletion of internal and external user accounts before, during, and after individuals are granted data access
- CC6.3 – The entity manages data access, including authorization and revocation, based on users’ responsibilities—including consideration of least privilege and segmentation
- CC6.4 – The entity installs physical restrictions, such as barriers, and other measures to prevent unauthorized access to devices or spaces containing protected information
- CC6.5 – The entity ensures that physical and logical restrictions are not removed from assets until it is no longer possible to read or recover protected information from them
- CC6.6 – The entity installs physical and proximal security measures focused on external threats, ensuring identification of all users through additional authentication methods
- CC6.7 – The entity secures all movement, transmission, and removal of all protected information into, out of, within, and between all internal and external locations
- CC6.8 – The entity installs controls to proactively prevent or immediately detect and address the introduction of any malicious or otherwise unauthorized software
CC7 Series: System Operations
There are five CC7 Series criteria:
- CC7.1 – The entity implements monitoring and detection measures to identify configuration changes that could introduce new vulnerabilities, and to assess its susceptibility to known vulnerabilities
- CC7.2 – The entity implements monitoring capacities to detect and analyze anomalies that could indicate malicious acts, determining whether they constitute security events
- CC7.3 – The entity implements monitoring capacities to analyze all identified security events to determine and prevent any compromises or failures of defined objectives
- CC7.4 – The entity also responds to all identified security events by deploying a robust incident response program to quarantine, eliminate, and communicate security incidents
- CC7.5 – The entity develops or acquires, implements, and deploys measures to recover from security incidents, including both short-term continuity and long-term prevention
CC8 Series: Change Management
There is just one CC8 Series criterion:
- CC8.1 – The entity ensures all changes necessary for objectives are first authorized and strategized, then deployed, documented, and adjusted in an appropriate, timely manner
CC9 Series: Risk Mitigation
There are two CC9 Series criteria:
- CC9.1 – The entity identifies then develops or acquires a risk mitigation program commensurate to potential business disruptions originating within the organization
- CC9.2 – The entity identifies then develops or acquires a risk mitigation program commensurate to threats and vulnerabilities pertaining to third parties (vendors, etc.)
Implementing the Supplemental Principle Criteria
Finally, the Common Criteria are not the only measures applicable in a SOC 2 audit report. An organization may also be assessing itself according to the remaining Trust Services Principles of Availability, Processing Integrity, Confidentiality, and Privacy. Each of these comes with a set of Supplemental Criteria that only apply to the Principle in question—and only if that Principle is being assessed as part of the engagement. Note that the order in which these criteria appear below reflects their order in the enumerated TSC list, which differs from their order elsewhere.
A Series: Supplemental Availability Criteria
There are three A Series criteria:
- A1.1 – The entity monitors and maintains system and processing capacities to ensure they are not exceeded, and plans for modifications to services to accommodate demand
- A1.2 – The entity identifies and develops or acquires environmental protections, data backup measures, and other business continuity measures relative to its objectives
- A1.3 – The entity ensures the integrity of recovery measures through regular testing
C Series: Supplemental Confidentiality Criteria
There are two C Series criteria:
- C1.1 – The entity identifies confidential information and maintains confidentiality up to thresholds defined in any applicable laws, regulations, agreements, or expectations
- C1.2 – The entity disposes of confidential information when it is no longer required
PI Series: Supplemental Processing Integrity Criteria
There are five PI Series criteria:
- PI1.1 – The entity generates or obtains, then communicates information related to data processing capacities, including amount and kind of data processed, processes, etc.
- PI1.2 – The entity defines processes and procedures to control data processing inputs
- PI1.3 – The entity defines processes and procedures to control data processing outputs
- PI1.4 – The entity defines processes and procedures to deliver outputs per objectives
- PI1.5 – The entity defines processes and procedures to store inputs per objectives
P Series: Supplemental Privacy Criteria
Finally, there are eight distinct P Series categories, which comprise 18 P Series criteria in total:
- P1.0: Privacy Criteria Related to Notice and Communication of Objectives
  - P1.1 – The entity provides and updates notices clarifying privacy practices
- P2.0: Privacy Criteria Related to Choice and Consent
  - P2.1 – The entity clearly communicates choices regarding data processing
- P3.0: Privacy Criteria Related to Collection
  - P3.1 – The entity collects personal data per defined objectives and notices
  - P3.2 – The entity clearly communicates stakes of consent to data collection
- P4.0: Privacy Criteria Related to Use, Retention, and Disposal
  - P4.1 – The entity limits the use of personal data to defined purposes and objectives
  - P4.2 – The entity limits data retention to defined purposes and objectives
  - P4.3 – The entity ensures safe disposal of data, per defined objectives
- P5.0: Privacy Criteria Related to Access
  - P5.1 – The entity grants data subjects the right of access to their personal data
  - P5.2 – The entity makes changes to personal data based on subjects’ requests
- P6.0: Privacy Criteria Related to Disclosure and Notification
  - P6.1 – The entity obtains consent prior to disclosing personal data to third parties
  - P6.2 – The entity creates and maintains records of authorized data disclosure
  - P6.3 – The entity creates and maintains records of unauthorized data disclosure
  - P6.4 – The entity ensures and assesses privacy commitments of its third parties
  - P6.5 – The entity receives notice of potential data compromise from third parties
  - P6.6 – The entity swiftly notifies all stakeholders after a breach of personal data
  - P6.7 – The entity communicates data practices with subjects (upon request)
- P7.0: Privacy Criteria Related to Quality
  - P7.1 – The entity ensures retained personal information is current and relevant
- P8.0: Privacy Criteria Related to Monitoring and Enforcement
  - P8.1 – The entity implements measures to ensure prompt receipt, resolution, and communication of all inquiries regarding data privacy, per its defined objectives
Professional SOC 2 Auditing and Reporting
When preparing for a SOC 2 audit, the primary considerations are threefold: implement the primary Common Criteria, the secondary Common Criteria, and then the tertiary Supplemental Criteria for Availability, Processing Integrity, Confidentiality, and Privacy.
Beyond resources like this SOC 2 implementation guide, RSI Security offers comprehensive advisory and assessment services. This can begin with a quick consultation and tailored SOC 2 report examples, including SOC 2 Type 1 report examples or SOC 2 Type 2 report examples, as part of our initial readiness assessment. Then, we’ll work with you to install all controls and, once you’re ready to successfully complete an audit, assess them.
Contact us today to get started!